How to block all traffic but one IP in windows firewall using command line

Question

I have a project and for it I need to only allow connections in from a certain subnet, everything else must be dropped. The catch is that its all going to be automated, no user interaction, there for the other answers showing how to use the GUI in windows are no good. I have a Python script that runs the windows shell command (netsh advfirewall...) that makes all the rules I want, however if I add a block all rule it overwrites all my allow rules. I tried adding it first as well as last on the list of rules, I'm not sure what I'm doing wrong. Attached are my commands/rules

import subprocess

#allow connections over port 80 and 443 tcp
subprocess.call('netsh advfirewall firewall add rule name="allow port 80 tcp in" dir=in localport=80 protocol=tcp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 80 tcp out" dir=out localport=80 protocol=tcp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 443 tcp in" dir=in localport=443 protocol=tcp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 443 tcp out" dir=out localport=443 protocol=tcp action=allow', shell=True)

#allow icmt v4/v6 in/out
subprocess.call('netsh advfirewall firewall add rule name="allow port icmpv4 in" dir=in protocol=icmpv4 action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port icmpv6 in" dir=in protocol=icmpv6 action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port icmpv4 out" dir=out protocol=icmpv4 action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port icmpv6 out" dir=out protocol=icmpv4 action=allow', shell=True)

#allow ssh (port 20) via specific subnets
subprocess.call('netsh advfirewall firewall add rule name="allow port 20 in" dir=in localport=20 remoteip =10.0.0.0/8 protocol=tcp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 20 in" dir=in localport=20 remoteip =192.168.0.0/16 protocol=tcp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 20 in" dir=in localport=20 remoteip =172.0.0.0/8 protocol=tcp action=allow', shell=True)

subprocess.call('netsh advfirewall firewall add rule name="allow port 20 out" dir=out localport=20 remoteip =10.0.0.0/8 protocol=tcp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 20 out" dir=out localport=20 remoteip =192.168.0.0/16 protocol=tcp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 20 out" dir=out localport=20 remoteip =172.0.0.0/8 protocol=tcp action=allow', shell=True)

#allow rdp (port 3389) via specific subnets

subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 in tcp" dir=in localport=3389 remoteip =10.0.0.0/8 protocol=tcp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 in tcp" dir=in localport=3389 remoteip =192.168.0.0/16 protocol=tcp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 in tcp" dir=in localport=3389 remoteip =172.0.0.0/8 protocol=tcp action=allow', shell=True)

subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 out tcp" dir=out localport=3389 remoteip =10.0.0.0/8 protocol=tcp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 out tcp" dir=out localport=3389 remoteip =192.168.0.0/16 protocol=tcp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 out tcp" dir=out localport=3389 remoteip =172.0.0.0/8 protocol=tcp action=allow', shell=True)

subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 in udp" dir=in localport=3389 remoteip =10.0.0.0/8 protocol=udp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 in udp" dir=in localport=3389 remoteip =192.168.0.0/16 protocol=udp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 in udp" dir=in localport=3389 remoteip =172.0.0.0/8 protocol=udp action=allow', shell=True)

subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 out udp" dir=out localport=3389 remoteip =10.0.0.0/8 protocol=udp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 out udp" dir=out localport=3389 remoteip =192.168.0.0/16 protocol=udp action=allow', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="allow port 3389 out udp" dir=out localport=3389 remoteip =172.0.0.0/8 protocol=udp action=allow', shell=True)

#Block all connections
subprocess.call('netsh advfirewall firewall add rule name="block all inbound" dir=in protocol=any action=block', shell=True)
subprocess.call('netsh advfirewall firewall add rule name="block all outbound" dir=out protocol=any action=block', shell=True)

Answer 1

So I kept on doing research and it appears something I overlooked initially is that block comments take precedence over everything else- regardless of where they are placed. The only way to do what I want is to set windows firewall to block everything by default and then set allow rules. To do that with netsh you would do:

netsh advfirewall set allprofiles firewallpolicy blockinbound

you can also block outbound by adding a comma and allow by changing block to allow.